From: djm@openbsd.org Date: Mon, 29 Sep 2025 02:32:15 +0000 (+0000) Subject: upstream: kbd-interactive device names should be matched against X-Git-Tag: V_10_1_P1~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bcd88ded2fff97652d4236405a3354ca66f90f7e;p=thirdparty%2Fopenssh-portable.git upstream: kbd-interactive device names should be matched against the full device name, not a prefix. Doesn't matter in practice as there is only one kbd-int device supported (PAM xor BSD auth), and an attacker would still need to successfully authenticate against an incorrectly-selected device. reported by ashamedbit, NobleMathews; ok deraadt@ OpenBSD-Commit-ID: cf75d4f99405fbb41354c4ae724a3b39a3b58f82 --- diff --git a/auth2-chall.c b/auth2-chall.c index 021df8291..5af8b0945 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.54 2020/10/18 11:32:01 djm Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.55 2025/09/29 02:32:15 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -154,7 +154,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) { size_t len; char *t; - int i; + size_t i; if (kbdintctxt->device) kbdint_reset_device(kbdintctxt); @@ -165,11 +165,14 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) if (len == 0) break; for (i = 0; devices[i]; i++) { + if (i >= sizeof(kbdintctxt->devices_done) * 8) + fatal_f("internal error: too may devices"); if ((kbdintctxt->devices_done & (1 << i)) != 0 || !auth2_method_allowed(authctxt, "keyboard-interactive", devices[i]->name)) continue; - if (strncmp(kbdintctxt->devices, devices[i]->name, + if (strlen(devices[i]->name) == len && + memcmp(kbdintctxt->devices, devices[i]->name, len) == 0) { kbdintctxt->device = devices[i]; kbdintctxt->devices_done |= 1 << i;